2017 Cyber Security Trends – 20 Professionals Speak Out

VeriClouds recently polled a field of Cyber Security professionals to get their opinions on the predominant threat trends in 2017. Our experts are CEOs, CISOs, Engineers, Security Architects and Consultants working in universities, private consulting firms and corporations.

Cyber Security 2017 Summary

All responses, including those persons wishing to remain anonymous, were considered in writing this summary.

Ransomware

Ransomware attacks were mentioned in 12 of the 20 (60%) responses. The reason for this particular attack vector increasing in 2017 is attributed to the significant profit potential.

Internet of Things (IoT)

The Internet of Things was mentioned in 11 of the 20 (55%) responses. IoT devices are relatively new and deployment is driven primarily by time-to-market and profit potential. Security takes time and costs money, so historically it comes to new products almost as an afterthought.

Distributed Denial of Service (DDoS)

DDoS is viewed as an effective strategy for attacking IoT devices by 7 of the 20 (35%) respondents. The reasoning is that as IoT devices proliferate, DDoS attacks will increase.

Cyber Attacks – New Opportunities

Cloud infrastructure deployments are not actually new, but the deployments are likely to increase exponentially in the next year or two. More deployments provide more opportunities for hackers to seek out those that are vulnerable.
With so many mobile devices in use and growing, mobile malware attacks are also likely to increase. Many people store their critical information on their mobiles (bad idea), so there is a strong incentive for the attacks.
Personal Health Information (PHI) databases and the Smart Home are new opportunities for hackers to explore.

Cyber Attacks – More of the Same

Social Engineering, in its many varieties, will continue to be used as long as it is successful. Professional hacker organizations and State-sponsored hacking are seen as likely to increase because they have been so successful at targeting high-profile organizations and individuals.

Cyber Security 2017 – In The Experts’ Own Words

Below are the responses from those who chose to identify themselves (anonymous not included). Some comments have been edited for clarity.

My take on trends for 2017 is that the biggest threat that organizations face is email – using social engineering to convince people to click. The two biggest threats are phishing (all flavors – regular, spear and whale), and ransomware.

2016 saw a rise in ransomware threats along with the very first large scale DDoS attack ever seen on IoT. These top two cybercrime trends will continue to increase and may even become worse in 2017. Ransomware will remain the most aggressive online threat as hackers target corporations and demand higher ransom fees, leading to significant revenue loss for the affected companies. Companies will begin to invest in ransomware protection.

The increasing number of vulnerable IoT devices on the market will provide new avenues of attack for malicious users. The problem of default and easy-to-guess credentials, and challenges in updating firmware and patching vulnerabilities, will further worsen the cyber risks associated with IoT. DDoS attacks on compromised IoT devices will escalate, resulting in large-scale consequences of service interruptions and possible complete shutdown of websites and organizations. The problem here is that IoT devices are designed and deployed without cyber security in mind, and unless the device manufacturers, suppliers, and regulators pay attention to security in these devices, the cyber attacks on IoT will only continue to grow more and more.

Hacking is becoming more like organized crime of yesteryear, i.e., the Mafia, with professional hackers organizing teams of criminals that buy sophisticated threat kits on the dark web to carry out multi-faceted attacks that can take days or months to carry out. As these malware kits become more complex, the job of detecting and stopping them will become a greater and more urgent task. Enterprises will increasingly turn to expert security partners to augment their IT security staff to speed the time to detection.

Secondarily, the types of cyber security technology developed and used by intelligence organizations are making their way into the “wild” and governments will need to take extra care to prevent these sophisticated technologies from getting into the hands of cyber criminals.

I expect a massive increase in Ransomware as well as its move beyond data into threats for DDOS, AuthN compromises and such. As a corollary, and likely driving large portions of Ransomware, will be IOT security vulnerabilities. We’re at the inception of the IOT era and, given the slow patch rates, focus on features and time to market, the IOT marketplace (connected cars, SCADA, Smart Home devices, etc.) provides limitless opportunity for command and control networks that hold a company hostage for access to their own systems or hold the brand hostage due to mysterious accidents.

Nathanael is a Cybersecurity visionary who’s spent the last decade laser-focused on improving the security posture of the modern enterprise via the integration of IAM with Data Security. Over the last two decades, he’s honed his product and scalability expertise at Sun, Oracle, and Imperva showcasing how these security disciplines can work together to provide a rapid orchestrated deployment and response mechanism that meets today’s emerging security needs.

I think there are two areas that will be ripe for cybercrime increases in 2017. The first is for internet connected devices. The second is for phishing & ransomware.

For devices (aka IoT), the data suggests huge growth in general for both the total number and types of devices hitting the market. Anything from home security and thermostat products to fitness and health products. There are also self-driving cars and a multitude of other products that will absolutely have huge potential impacts if their security isn’t done right out of the box. These devices have a challenge because they need to be easy to configure for the average person who isn’t thinking about security. In many instances, the security is dialed way back just so the user experience is good. This makes the devices more susceptible to DDOS and botnet takeover situations such as in October 2016. There will be lots of opportunity for this segment, as well as the security pros who keep it secure.

Phishing continues to plague businesses of all shapes, sizes, and industries. The reason – it works. It latches on to the weakest link of any organization (its people) and takes advantage of gullibility and improved techniques by the social engineer who can build out a much more realistic and believable experience. Once they’re in, they can lock up a user’s PC and demand money to unlock it. In many cases now, they don’t even do that. They’ll get their money and bail.

Ultimately, there are no easy answers for either of these scenarios. If I had a crystal ball, I’d say cyber crime for each area will increase dramatically in coming years. People are ultimately at the center of the solution for each. For the first, sound SDLC practices and design that uses extensive threat modeling and thinks through initial set-up and user-friendly security controls & settings will go a long way. For the second, training employees to really understand what to look for before they click will help dramatically reduce the risk of phishing and ransomware.

My Top predictions for Cloud:

DoS/DDoS: More and more enterprises are joining public cloud for shifting production workloads from internal data centers to Cloud that’s managed by various cloud providers. Attackers are constantly hunting for innovative ways to bring down the services. Considering the history of disruptions (5-hour outage of AWS, Dyn’s DNS infrastructure disrupting Twitter/Spotify/AWS etc.) there are potential outages to happen in the next year too.

Software Defined Networking: Insecure configuration of Control and Data Plane Layers will open the doors for the attackers to disrupt your hybrid cloud, private cloud environment. Most of the time teams that configure or manage SDN are not Security folks, hence the risk is double!

Ransomware: Malicious software designed to block access to the victim’s files until the victim pays a ransom in Bitcoin is a potential threat that we can see a rise in the next year. With the advent of cloud-based services, this is going to be an increasingly common threat next year.

Data Loss/Leakage: Growing volumes of sensitive data in the cloud will invite hackers. Trust no one should be the principle to adopt. Strict Key Management Systems (KMS) should be adopted for data at rest, and use Transport Layer Security for data in motion.

My Top predictions for Enterprise-level:

Mobile Malware: Facing this age-old problem that always surfaces with a new face is quite a daunting task! At the enterprise level – effective antivirus products and malware defenses can combat malware to a larger extent. But the problem is that mobile devices joining the corporate internal wireless network are becoming soft targets! Attacks such as memory-resident malware are an emerging trend and forensically difficult to detect. Take a note of that!

My Top predictions for Home User:

IoT (Internet of Things): With the advent of Siri and Alexa, Privacy of individuals is undoubtedly a big challenge. This “always on” feature is a bit of a disturbing fact, though! Though the security standpoint of this product is still unclear, a few experts say the product is secure with no obvious backdoors; however, only the times to come will decide the security posture of such products till hacked, or especially in cases where software updates/patching flow in, opening the back doors. IoT is the next big thing to look up and a possible source of cyber attacks!

Three trends I believe will get worse in 2017 – Ransomware, Phishing Scams, and DDOS using IOT. Looking at what happened throughout 2016, Ransomware is topping the list. In discussion with clients, this is the number one item they are concerned with. Numerous companies are buying bitcoins as a failsafe in case they do get infected. The costs associated with not paying the ransom are often just too high even when backups are available. As reported by Trend Micro and others, 50 new ransomware families were seen in the first 5 months of 2016 and it only went up from there. ZDNet reported $1 billion in losses to this type of attack in 2016. This is probably the number one money maker for cyber crooks.

Phishing scams, such as spear phishing and whaling (targeted attacks on a small group of executives or a specific high-ranking person in a company), would be my second trend increase. While the time an attacker has to spend on this form of attack is significantly more than on a ransomware attack, the payout is often a much bigger chunk. According to the FBI, this form of attack has cost organizations $2.3 billion in the last three years. CEO fraud, or whaling, has resulted in crooks walking away with tens of millions of dollars.

DDOS via the Internet of Things would be my third trend increase in 2017. With so many things interconnected and so little in terms of security built into many of these devices, it is no wonder crooks are using these to disrupt operations. The Dyn DDOS is probably the best example of where things are headed unless security is taken seriously by manufacturers. According to Dyn’s own report, the attacks involved tens of millions of IP addresses via the Mirai botnet. Incapsula has a good report on this botnet and how it is associated with everything from CCTV cameras to DVRs and routers. As our IOT world increases, this attack surface will continue to increase unless major steps are taken to safeguard our devices. Oftentimes these “disruption services” can be sold or rented to cybercriminals who then attack the people or organizations of their choice, thereby causing extensive amounts of damage to the victim’s finances and reputation.

The most important Cybercrime Trends in 2017 are Data Breaches and the imminent death of the password and 1FA.

Breaches dominated all of 2016 – from the DNC and the US Elections to Yahoo, and State Bank of India getting 600K Debit Cards breached. The tragedy about the last story is that most people in India don’t use online banking, hardly check their monthly statements, and a lot of renegade transactions would never be negated or reconciled. For the average Indian citizen, Debit Card Security = Armed guards outside ATM booths or kiosks.

Any website that uses 1FA is, in all probability, pwned. All applications need some form of 2FA (not just Amazon, Bank of America, Google or Paypal).
With all the email addresses that can be queried on https://haveibeenpwned.com – it is very likely that any customer that is using your business application already has the same credentials available for anyone to abuse.

You can never be sure if a breached email and password are the same for a pwned site vs your own website. Even checking that makes you a willful felon if you consider Title 18 Section 1030 of the US Civil Code.

You don’t need every user of your website to possess an Authy app or have a cell phone that can receive one-time passcodes. You just need to email that user a six-digit passcode, and on successful login, send out a secure cookie with a GUID. Set the lifetime of that cookie to 4-8 weeks, and store a SHA-256 hash of the cookie, along with the HTTP_USER_AGENT, in the database table for that user row.

Whenever this user tries to log in to your website again from the same computer and browser, the cookie is available and you match up the SHA-256 hash of what you read from the HTTP headers with what was saved for this user in the database table. In addition, you check for correct login email and password to grant the user access.

The user performs 1FA, even though it is 2FA behind the scenes for that period. Even if the user’s email and password for your website are the same as in a breach dump, a hacker in Eastern Europe cannot log in to your website as the OTP sent out would be for the user’s email, not your site. If the user’s email was breached too, then all bets are off.

If you want to avoid the OTP-email thing, you can provide a set of three secret questions and answers and have one of them be answered every four to eight weeks with the login-password combination, to furnish the same secure cookie out for storage.

Assuming that the user’s email is not breached, that user receiving an email with an OTP when she had never logged in earlier would be an incident. There is someone who knows this user’s email and password and tried to log in to your site using those credentials.

What will become more bothersome for us in 2017:
Ransomware. People do naïve things and it is so easy for a software Trojan to sneak into your system. Even now, people download executable programs off the Internet, Torrent, Dark Web and never bother about the veracity of the site or program.

Anti-virus software is technically dead. Malware has grown so lethally polymorphic and stealthy, that outside of tracking actual system calls against the Operating System for resources, virus signatures make no sense when a few hundred thousand distinct pieces of bad, malicious code make it out into the world every week.

You should perhaps do what I heard an Investment Bank in Singapore does. The laptops and workstations cannot connect to the Internet, at all, even when the laptops are carried home. They can only call methods on a proxy when VPNed in – that verifies the endpoint, works like a great firewall and only lets you connect to a small set of whitelisted company websites and Internet-facing web services. All general browsing is done via a Virtual Machine that spins up, lets you browse and connect to Facebook, Hotmail and has no visibility into the host operating system, internal company network or file structure.

IoT will open the world for botnets that can now own insecure, unpatched devices and use them to mount attacks like the DynDNS takedown late last year.
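The remembered-device scheme described in the response above (email a six-digit OTP once, then hand out a GUID cookie and store only its SHA-256 hash plus the User-Agent against the user row, valid for a few weeks), worked through as an added example that is not part of the original post. The in-memory USERS table, the function names, the six-week lifetime and the PBKDF2 password hashing are assumptions; the OTP here is returned to the caller to stand in for the email delivery the text describes.

```python
import hashlib
import hmac
import secrets
import uuid

COOKIE_LIFETIME = 6 * 7 * 24 * 3600  # six weeks, inside the 4-8 week window suggested above

# Constructed in-memory "users table" keyed by login email (a real app uses its database).
USERS = {}


def register_user(email, password):
    salt = secrets.token_bytes(16)
    USERS[email] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "cookie_hash": None, "ua": None, "expires": 0, "pending_otp": None,
    }


def password_ok(email, password):
    u = USERS.get(email)
    if u is None:
        return False
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), u["salt"], 200_000)
    return hmac.compare_digest(h, u["pw_hash"])  # constant-time compare


def start_otp(email):
    """Step 1: generate the six-digit code that would be emailed to the user.
    Returned only so the caller can deliver it; it never goes to the browser."""
    code = f"{secrets.randbelow(10**6):06d}"
    USERS[email]["pending_otp"] = code
    return code


def complete_otp(email, code, user_agent, now):
    """Step 2: on a correct code, issue a GUID cookie and store only its SHA-256
    hash plus the browser's User-Agent; the raw GUID is never kept server-side."""
    u = USERS[email]
    if u["pending_otp"] is None or not hmac.compare_digest(u["pending_otp"], code):
        return None
    u["pending_otp"] = None  # single use
    cookie = str(uuid.uuid4())
    u["cookie_hash"] = hashlib.sha256(cookie.encode()).hexdigest()
    u["ua"] = user_agent
    u["expires"] = now + COOKIE_LIFETIME
    return cookie


def login(email, password, cookie, user_agent, now):
    """Later logins: the password must be right AND the presented cookie must hash to
    the stored value, match the stored User-Agent and be unexpired; otherwise fall
    back to a fresh email OTP. Returns 'ok', 'otp_required' or 'denied'."""
    if not password_ok(email, password):
        return "denied"
    u = USERS[email]
    if cookie is None or u["cookie_hash"] is None or now > u["expires"]:
        return "otp_required"
    presented = hashlib.sha256(cookie.encode()).hexdigest()
    if hmac.compare_digest(presented, u["cookie_hash"]) and user_agent == u["ua"]:
        return "ok"
    return "otp_required"
```

An "otp_required" result for a user who has never completed the OTP step is the incident signal the response mentions: someone holds that user's email and password but not the mailbox.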

“In 2017, attacks leveraging Personal Healthcare Information (PHI) will increase, and how PHI is leveraged by attackers will change. In 2016, we saw the compromise of the World Anti-Doping Agency (WADA) by alleged Russian state-sponsored attackers looking to use PHI to embarrass US and UK athletes by exposing their PHI. In 2017, it wouldn’t surprise me to see this tactic become more widespread, with bitcoin changing hands in exchange for the safe return of stolen highly sensitive PHI.”

I think we will continue to learn about large scale organized theft of money from electronic transfer platforms – like what happened to the SWIFT network.

There are fundamental flaws in legacy platforms that were designed with ‘crunchy shell, soft interior’ – where the simple fact that transactions originated from inside the ‘trusted’ network had some special validity or status. It’s the classic problem & takes lots of time and money to re-engineer.

There will be new technologies and better uptake of existing technologies for VPN endpoints, user identification & authentication, and overall recognition of trustworthy devices and users. But it will be not enough, not soon enough to avoid some big dollar value thefts in 2017.

I think the one we expect more of is Ransomware used as a blackmail technique for disgruntled employees. As companies move more of the IT infrastructure to the cloud, it is causing a lot of change and turmoil in IT departments. This coupled with increased pressure to outsource IT is leading to acts of retribution and revenge. And ransomware is an easy way for angry employees to damage their employers.

State-sponsored attacks will also increase. The recent election hack has emboldened state-run hackers.

I think a lot of people believe that the cyber-security landscape will be very different next year with a new president whereupon things may get better or worse. I do hope the new president changes the landscape where the commercial sector is an unlimited bullet sponge for attackers everywhere in the world without consequence.

Perhaps this year the President may even provide safe harbor and reduction in risk from lawsuits brought by others to further damage compromised companies.

I think we’re going to see more *news* about email hacks in 2017, simply because: a) it’s easy to do (from the hacker’s perspective) and b) as we’ve seen, there are often a LOT of ‘click bait worthy’ emails found in such hacks.

But I personally worry a lot more about the undiscovered attacks. We know that even the most expensive traditional cyber security products (e.g. firewalls, IDS, anti-virus) are easily bypassed. That means that there are attackers who are in, causing harm but staying under the radar. The more things are noisy with stuff like e-mail hacks, the easier it is for those attackers to stay undetected.

I’m predicting an increase in cyber crime that combines IoT vulnerabilities, botnets, and ransomware. Imagine a botnet that spreads ransomware to “smart” TVs by first exploiting insecure home routers, giving the attacker access to the internal network. I also think the trend of blackmailing users into helping attackers expand their botnets will become more common since it’s very low cost to the attacker. Criminals take what works and build on it, so I expect 2017 will see some creative combinations of existing techniques.

ABOUT VERICLOUDS

VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession. Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.
